Received: by taz.hyperreal.com (8.8.3/V2.0) id VAA15855; Sat, 30 Nov 1996 21:42:20 -0800 (PST)
Received: from sierra.zyzzyva.com by taz.hyperreal.com (8.8.3/V2.0) with ESMTP id VAA15844; Sat, 30 Nov 1996 21:42:15 -0800 (PST)
Received: from sierra.zyzzyva.com (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.8.2/8.8.2) with ESMTP id XAA16115 for ; Sat, 30 Nov 1996 23:42:28 -0600 (CST)
Message-Id: <199612010542.XAA16115@sierra.zyzzyva.com>
To: new-httpd@hyperreal.com
Subject: Re: Bug fix for mod_access check of remotehost
In-reply-to: fielding's message of Sat, 30 Nov 1996 05:47:10 -0800. <9611300547.aa00729@paris.ics.uci.edu>
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 30 Nov 1996 23:42:27 -0600
From: Randy Terbush
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

+1 This is a nice one to fix.

> I believe the following patch correctly fixes the problem noted by
> Dean a long time ago, namely
>
> >P.P.S. Hostnames such as "123.hotwired.com" are valid, yet find_allowdeny
> >does not properly handle them. This should be put on Known Bugs. Be
> >careful when fixing this because just removing the isalpha() check creates
> >a security hole, consider the DNS map "1.1.1.1.in-addr.arpa IN PTR 2.2.2."
> >if the user has a config line "allow from 2.2.2" it will allow 1.1.1.1 in
> >(unless -DMAXIMUM_DNS). -- which is bad because it breaks people who
> >understand double reverse lookup and are trying to avoid it by using
> >only ip addresses on allow/deny statements.
> > .....Roy > > Index: mod_access.c > =================================================================== > RCS file: /export/home/cvs/apache/src/mod_access.c,v > retrieving revision 1.10 > diff -c -r1.10 mod_access.c > *** mod_access.c 1996/11/18 19:40:49 1.10 > --- mod_access.c 1996/11/30 13:39:25 > *************** > *** 167,178 **** > return (what[l] == '\0' || what[l] == '.'); > } > > int find_allowdeny (request_rec *r, array_header *a, int method) > { > allowdeny *ap = (allowdeny *)a->elts; > int mmask = (1 << method); > ! int i, gothost=0; > ! const char *remotehost=NULL; > > for (i = 0; i < a->nelts; ++i) { > if (!(mmask & ap[i].limited)) > --- 167,185 ---- > return (what[l] == '\0' || what[l] == '.'); > } > > + static int is_ip(const char *host) > + { > + while (*host && ((*host == '.') || isdigit(*host))) host++; > + return (*host == '\0'); > + } > + > int find_allowdeny (request_rec *r, array_header *a, int method) > { > allowdeny *ap = (allowdeny *)a->elts; > int mmask = (1 << method); > ! int i; > ! int gothost = 0; > ! const char *remotehost = NULL; > > for (i = 0; i < a->nelts; ++i) { > if (!(mmask & ap[i].limited)) > *************** > *** 191,205 **** > > if (!strcmp (ap[i].from, "all")) > return 1; > ! if (!gothost) > ! { > remotehost = get_remote_host(r->connection, r->per_dir_config, > ! REMOTE_HOST); > ! gothost = 1; > } > ! if (remotehost != NULL && isalpha(remotehost[0])) > ! if (in_domain(ap[i].from, remotehost)) > ! return 1; > if (in_ip (ap[i].from, r->connection->remote_ip)) > return 1; > } > --- 198,217 ---- > > if (!strcmp (ap[i].from, "all")) > return 1; > ! > ! if (!gothost) { > remotehost = get_remote_host(r->connection, r->per_dir_config, > ! REMOTE_HOST); > ! > ! if ((remotehost == NULL) || is_ip(remotehost)) > ! gothost = 1; > ! else > ! gothost = 2; > } > ! > ! if ((gothost == 2) && in_domain(ap[i].from, remotehost)) > ! return 1; > ! > if (in_ip (ap[i].from, r->connection->remote_ip)) > return 1; > }
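
Review bot: In the first hunk (new lines 167-185), is_ip() has no comment saying that its loose match is deliberate. It returns true for any string made only of digits and dots, including the empty string and the "2.2.2." PTR value from Dean's example, which is what keeps such a name away from in_domain(); a one-line comment to that effect would stop a later cleanup from tightening it into a strict dotted-quad check. Separately, isdigit(*host) is called on a plain char taken from a DNS-supplied name; cast it to unsigned char so a byte with the high bit set is not passed as a negative value.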
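
Review bot: In the second hunk (new lines 198-217), the in_domain() call is gated only on the form of remotehost, not on the form of ap[i].from. A numeric entry such as "allow from 2.2.2" is therefore still compared against the reverse-DNS name whenever that name contains any character other than a digit or a dot, so the property Dean asks for (IP-only allow/deny lines never depend on reverse DNS) rests on in_domain(), which is not shown here, rejecting that comparison. Suggest skipping in_domain() when is_ip(ap[i].from) is true so numeric entries only go through in_ip(). The gothost values 0, 1 and 2 would also read better as named constants or with a short comment on what each state means.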